Network logs

Customers can view logs of all the network appliances from a single pane of glass, enabling quick troubleshooting. You can view audit and device logs.

Audit logs

Audit logs capture the action, time, and result of the action performed by users in the customer network.

[Image: Network audit logs]

Device logs

Customers can view the device logs that are specific to sites.

You can select specific device logs, download it, and share it with site admins if necessary.

[Image: Network device logs]

Security Logs

In the Citrix SD-WAN appliance, the Edge Security events are logged in the SDWAN_advanced_firewall.log file. The log file is rotated periodically based on size, with up to 23 archives or a day’s worth of logs retained, whichever is less. For example, consider the following two use cases:

  • If the log file fills up at a rate of 1GB per 20 transactions (log entries), approximately 8 hours of logs are available on the appliance at any given time.
  • If the log file fills up at a rate of 1GB per hour or slower, exactly one day of logs is available on the appliance.

Note

The size threshold for log rotation depends on the appliance. For Citrix SD-WAN 1100 appliance the log rotation size threshold is 1GB.

To receive the security logs from the Citrix SD-WAN appliance, in the appliance UI, navigate to Configuration > Appliance Settings > Logging/Monitoring > Syslog Server and ensure that the Firewall Logs to Syslog option is enabled.

Retrieval from orchestrator

Similar to other appliance log files, you can retrieve the Edge Security firewall logs from Citrix SD-WAN Orchestrator. At the network level, navigate to Troubleshooting > Device Logs, select a site with Edge Security enabled, select the Advanced Firewall logs you want to download and click Download.

[Image: Network troubleshooting]

Exporting to external syslog server

If an external syslog server is configured in the appliance UI (Appliance Settings > Logging/Monitoring > Syslog server), Edge Security logs are generated and offloaded to this server.

Log entries

This section provides an overview of the various log entries in this file.

HTTP(S) events

HTTP(S) log entries capture user activity related to HTTP or HTTPS requests. The table below describes the various fields in an HTTP log entry.

Field Name Description
timestamp The time of the event, without Time Zone
session_id The session identifier, allows correlation with session events
policy The configured security policy
client_address The source IP address (client-side)
client_port The source port (client-side)
server_address The destination IP address (server-side)
server_port The destination port (server-side)
method The HTTP method (for example, G for GET)
uri The HTTP URI, with the query string stripped; this field is limited to 512 bytes
host The HTTP hostname
web_filter_reason The reason for which Web Filter blocked or flagged the request
web_filter_category_id The numeric category according to Web Filter
web_filter_blocked Whether Web Filter blocked this request: true if blocked, false otherwise
virus_blocker_clean The cleanliness of the file according to Anti-Malware, null if missing
virus_blocker_name The name of the malware according to Anti-Malware, null if missing
event_type The marker for the HTTP and HTTPS records (HTTP(s))

A typical log entry for an allowed request is as follows:

timestamp=2020-05-14T15:19:46 session_id=104156851843561 policy=aitwlos client_address=172.30.0.16 client_port=43474 server_address=147.102.222.211 server_port=80 method=G uri=/pub/linux/centos/8.1.1911/isos/x86_64/CentOS-8.1.1911-x86_64-dvd1.iso host=ftp.ntua.gr web_filter_reason=N web_filter_category_id=40 web_filter_blocked=false virus_blocker_clean=null virus_blocker_name=null event_type=HTTP(s)

If a request is blocked by the web-filtering application, the web_filter_blocked field is set to true.

timestamp=2020-05-21T17:53:33 session_id=104201346751521 policy=profile_1 client_address=192.168.0.2 client_port=50666 server_address=13.227.223.5 server_port=443 method=G uri=/ host=www.espn.com web_filter_reason=D web_filter_category_id=42 web_filter_blocked=true virus_blocker_clean=null virus_blocker_name=null event_type=HTTP(s)

In case a request is blocked by the Anti-Malware module, the malware name is populated in the respective field.

timestamp=2020-05-26T09:01:35 session_id=104233671000368 policy=profile_2 client_address=192.168.0.4 client_port=33453 server_address=213.211.198.58 server_port=80 method=G uri=/download/eicar.com.txt host=2016.eicar.org web_filter_reason=N web_filter_category_id=56 web_filter_blocked=false virus_blocker_clean=false virus_blocker_name=EICAR-Test-File event_type=HTTP(s)

FTP events

The FTP log entries capture user activity related to FTP requests. The table below describes the various fields in an FTP log entry:

Field Name Description
client_address The source IP address (client-side)
method The FTP method
policy The configured security policy
server_address The destination IP address (server-side)
session_id The session identifier, allows correlation with session events
timestamp The time of the event, without Time Zone
uri The FTP URI
virus_blocker_clean The cleanliness of the file according to Anti-Malware
virus_blocker_name The name of the malware according to Anti-Malware

A typical log entry for an FTP request is as follows:

timestamp=2020-05-26T12:38:58 session_id=104228434064675 policy=Profile2 client_address=192.168.0.2 server_address=192.168.1.2 method=null uri=eicar.exe virus_blocker_clean=false virus_blocker_name=EICAR-Test-File event_type=FTP

SMTP events

The SMTP log entries capture user activity related to unencrypted email, sent using the SMTP protocol. The table below describes the various fields in an SMTP log entry:

Field Name Description
timestamp The time of the event, without Time Zone
session_id The session identifier, allows correlation with session events
policy The configured security policy
client_address The source IP address (client-side)
client_port The source port (client-side)
server_address The destination IP address (server-side)
server_port The destination port (server-side)
msg_id The message Identifier
subject The email subject
sender The address of the sender
receiver The address of the receiver
virus_blocker_clean The cleanliness of the file according to Anti-Malware
virus_blocker_name The name of the malware according to Anti-Malware

A typical log entry for an SMTP request with virus is as follows:

timestamp=2020-05-25T16:29:14 session_id=104229438357679 policy=Profile1 client_address=192.168.0.3 client_port=54867 server_address=192.168.1.2 server_port=25 msg_id=104229438357614 subject=Subject Greetings sender=John@gerasi-prod-pp receiver=null virus_blocker_clean=false virus_blocker_name=EICAR-Test-File event_type=SMTP

A typical log entry for an SMTP request without virus is as follows:

timestamp=2020-05-25T16:29:05 session_id=104229438357678 policy=Profile1 client_address=192.168.0.3 client_port=40467 server_address=192.168.1.2 server_port=25 msg_id=104229438357613 subject=Subject Greeting sender=John@gerasi-prod-pp receiver=null virus_blocker_clean=true virus_blocker_name=null event_type=SMTP

Session events

The Session log entries capture user activity at the TCP layer. They complement HTTP, FTP and SMTP events by recording the TCP session termination timestamp.

Field Name Description
timestamp The time of the event, without Time Zone
session_id The session identifier
end_time The time the session ended, timestamp without Time Zone
policy The configured security policy
client_address The source IP address (client-side)
client_port The source port (client-side)
server_address The destination IP address (server-side)
server_port The destination port (server-side)
ssl_ruleid The matching SSL Inspector rule, null if missing
ssl_status The status/action of the SSL session (INSPECTED, IGNORED, BLOCKED, UNTRUSTED, ABANDONED), null if missing
ssl_details Additional text detail about the SSL connection (SNI, IP), null if missing
event_type Two possible values: new_session or session_closed

A typical log entry for a new session event is as follows:

timestamp=2020-05-21T18:49:46 session_id=104201346751773 end_time=2020-05-21T18:49:46 policy=profile1 client_address=192.168.0.2 client_port=37496 server_address=13.227.223.124 server_port=443 ssl_ruleid=null ssl_status=null ssl_details=null event_type=new_session

A typical log entry for a closed session event is as follows:

timestamp=2020-05-15T14:03:59 session_id=104172750410023 end_time=2020-05-15T14:04:00 policy=aitwlos client_address=169.254.100.2 client_port=123 server_address=176.58.127.165 server_port=123 ssl_ruleid=null ssl_status=null ssl_details=null event_type=session_closed

Session updates

The Session updates log entries capture user activity at the TCP layer for long-running sessions on a per-minute basis. Session updates help identify existing log entries (HTTP, SMTP, FTP, and session events) that correspond to sessions that are still open. Such events may be either ignored or treated as “tentative”, since session closure may update certain attributes (for example, the session end time).

Field Name Description
timestamp The time of the event, timestamp without Time Zone
session_id The session identifier
start_time The start time of the session, timestamp without Time Zone
end_time The time the session ended, timestamp without Time Zone
policy The configured security policy
client_address The source IP address (client-side)
client_port The source port (client-side)
server_address The destination IP address (server-side)
server_port The destination port (server-side)
ssl_ruleid The matching SSL Inspector rule, null if missing
ssl_status The status/action of the SSL session (INSPECTED, IGNORED, BLOCKED, UNTRUSTED, ABANDONED), null if missing
ssl_details Additional text detail about the SSL connection (SNI, IP address), null if missing
event_type The marker for currently updating sessions (session_update)

A typical log entry for a session update event is as follows:

timestamp=2020-05-15T16:17:00 session_id=104173025813804 start_time=2020-05-15T16:15:53 end_time=2020-05-15T16:15:54 policy=testPolicy client_address=169.254.100.2 client_port=46249 server_address=169.254.100.1 server_port=53 ssl_ruleid=null ssl_status=null ssl_details=null event_type=session_update

IPS events

The IPS log entries capture traffic that triggered an IPS signature belonging to one of the selected IPS class-types or categories, where the matching rule’s action is not disabled.

Field Name Description
timestamp The time of the event, timestamp without Time Zone
signature_id The ID of the rule
grouping_id The grouping ID for the rule. The grouping id + signature id specify the rule’s unique identifier.
classtype_id The numeric ID for the class type
source_address The source IP address of the packet
source_port The source port of the packet (if applicable)
destination_address The destination IP address of the packet
destination_port The destination port of the packet (if applicable)
protocol The protocol of the packet
blocked If the packet was blocked (true) or dropped (false)
category The application specific grouping for the signature
classtype The generalized threat signature grouping (unrelated to grouping id)
message The “title” or “description” of the signature
event_type The marker for IPS and IDS events (IPS/IDS)

A typical log entry for an IPS event is as follows:

timestamp=2020-05-15T14:04:50 signature_id=2002752 grouping_id=1 classtype_id=3 source_address=192.168.100.55 source_port=32838 destination_address=22.22.22.163 destination_port=80 protocol=6 blocked=false category=policy classtype=bad-unknown message="ET POLICY Reserved Internal IP Traffic" event_type=IPS/IDS
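The record format documented in the HTTP(S), FTP, SMTP, session and IPS sections above is a flat key=value line, but three value shapes need care when parsing it: plain tokens, double-quoted values with spaces (the IPS message field), and unquoted values with spaces (the SMTP subject field). The following is an added example, not Citrix code: it parses such records, groups them by session_id to decide whether a session is closed or still open (the “tentative” case from the Session updates section), and lists the entries a SOC analyst would triage. The sample lines, the helper names (parse_record, correlate_sessions, security_findings) and the 26-second session duration are all constructed for this example.

```python
"""Parse SDWAN_advanced_firewall.log style key=value records and correlate them by session.

Added example written for this page; it is not Citrix code. The field names follow
the tables above; the sample lines are constructed from the page's examples (one
HTTP session traced from new_session to session_closed, one SMTP event, one
still-open session and one IPS event) and are not real traffic.
"""
import re
from datetime import datetime

# Constructed sample records (not real traffic). Timestamps within a session are made consistent.
SAMPLE_LOG = """\
timestamp=2020-05-21T18:49:46 session_id=104201346751773 end_time=2020-05-21T18:49:46 policy=profile1 client_address=192.168.0.2 client_port=37496 server_address=13.227.223.124 server_port=443 ssl_ruleid=null ssl_status=null ssl_details=null event_type=new_session
timestamp=2020-05-21T18:49:47 session_id=104201346751773 policy=profile1 client_address=192.168.0.2 client_port=37496 server_address=13.227.223.124 server_port=443 method=G uri=/ host=www.espn.com web_filter_reason=D web_filter_category_id=42 web_filter_blocked=true virus_blocker_clean=null virus_blocker_name=null event_type=HTTP(s)
timestamp=2020-05-21T18:50:12 session_id=104201346751773 end_time=2020-05-21T18:50:12 policy=profile1 client_address=192.168.0.2 client_port=37496 server_address=13.227.223.124 server_port=443 ssl_ruleid=null ssl_status=null ssl_details=null event_type=session_closed
timestamp=2020-05-25T16:29:14 session_id=104229438357679 policy=Profile1 client_address=192.168.0.3 client_port=54867 server_address=192.168.1.2 server_port=25 msg_id=104229438357614 subject=Subject Greetings sender=John@gerasi-prod-pp receiver=null virus_blocker_clean=false virus_blocker_name=EICAR-Test-File event_type=SMTP
timestamp=2020-05-15T16:17:00 session_id=104173025813804 start_time=2020-05-15T16:15:53 end_time=2020-05-15T16:15:54 policy=testPolicy client_address=169.254.100.2 client_port=46249 server_address=169.254.100.1 server_port=53 ssl_ruleid=null ssl_status=null ssl_details=null event_type=session_update
timestamp=2020-05-15T14:04:50 signature_id=2002752 grouping_id=1 classtype_id=3 source_address=192.168.100.55 source_port=32838 destination_address=22.22.22.163 destination_port=80 protocol=6 blocked=false category=policy classtype=bad-unknown message="ET POLICY Reserved Internal IP Traffic" event_type=IPS/IDS
"""

# A token that starts a new field: identifier, '=', then the rest of the token.
KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")


def _coerce(value):
    """Map the literal null/true/false tokens to Python values; keep everything else as text."""
    return {"null": None, "true": True, "false": False}.get(value, value)


def parse_record(line):
    """Parse one record into a dict.

    A double-quoted value (IPS `message`) is joined across tokens until the closing quote.
    An unquoted token without '=' (second word of `subject=Subject Greetings`) is appended
    to the preceding field. Limitation: an unquoted value whose continuation word itself
    contains '=' would be misread as a new field; the uri field never does, because the
    page states its query string is stripped.
    """
    raw, key, tokens, i = {}, None, line.split(), 0
    while i < len(tokens):
        m = KEY_RE.match(tokens[i])
        if m:
            key, value = m.group(1), m.group(2)
            if value.startswith('"') and not (len(value) > 1 and value.endswith('"')):
                parts = [value]
                while not parts[-1].endswith('"') and i + 1 < len(tokens):
                    i += 1
                    parts.append(tokens[i])
                value = " ".join(parts)
            if len(value) >= 2 and value.startswith('"') and value.endswith('"'):
                value = value[1:-1]
            raw[key] = value
        elif key is not None:
            raw[key] = f"{raw[key]} {tokens[i]}"
        i += 1
    return {k: _coerce(v) for k, v in raw.items()}


def parse_log(text):
    """Parse every non-empty line of a log file."""
    return [parse_record(ln) for ln in text.splitlines() if ln.strip()]


def correlate_sessions(records):
    """Group records by session_id and mark each session closed or still open.

    A session is closed once a session_closed record exists; its duration is end_time
    minus the earliest timestamp seen. Sessions with only new_session/session_update
    records stay open, and the page says their application events should be treated as
    tentative. IPS records carry no session_id and are skipped here.
    """
    sessions = {}
    for r in records:
        sid = r.get("session_id")
        if sid is None:
            continue
        s = sessions.setdefault(sid, {"events": [], "state": "open", "duration_s": None})
        s["events"].append(r)
        if r["event_type"] == "session_closed":
            s["state"] = "closed"
            start = min(datetime.fromisoformat(e["timestamp"]) for e in s["events"])
            s["duration_s"] = (datetime.fromisoformat(r["end_time"]) - start).total_seconds()
    return sessions


def security_findings(records):
    """Return (event_type, session_id, reason) for Web Filter blocks, Anti-Malware hits and IPS alerts."""
    out = []
    for r in records:
        if r.get("web_filter_blocked") is True:
            out.append((r["event_type"], r.get("session_id"), f"web filter blocked {r.get('host')}"))
        if r.get("virus_blocker_clean") is False:
            out.append((r["event_type"], r.get("session_id"), f"anti-malware: {r.get('virus_blocker_name')}"))
        if r.get("event_type") == "IPS/IDS":
            out.append((r["event_type"], None, f"signature {r.get('signature_id')}: {r.get('message')}"))
    return out


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for sid, s in correlate_sessions(recs).items():
        print(sid, s["state"], s["duration_s"])
    for f in security_findings(recs):
        print(f)
```

Feeding the real SDWAN_advanced_firewall.log (or the syslog-forwarded copy) through parse_log instead of SAMPLE_LOG gives the same structures; the tentative/closed split is what lets a SIEM hold HTTP or SMTP events until the matching session_closed record confirms the end time.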